On Tuesday, Microsoft released 14 security updates, including fixes for the Meltdown and Spectre flaws that were widely reported last week and for a zero-day bug in Microsoft Office that is being exploited in the wild. Adobe separately pushed out a security update to its Flash Player software.
Meltdown and Spectre are hardware bugs that allow programs to steal data that is currently being processed on users’ personal computers, on mobile devices, and in the cloud. Programs aren’t normally allowed to read data from other programs, but a malicious program can exploit these two bugs to access data stored in the memory of other running programs, such as passwords saved in a password manager or browser.
The Meltdown bug affects every Intel processor shipped since 1995. Spectre is a much more far-ranging flaw, impacting desktops, laptops, cloud servers and smartphones from a range of vendors. However, Google researchers said Spectre is also much more difficult to exploit.
Microsoft immediately addressed the issue, shipping an emergency update to fix the flaws, but many users complained that their PCs experienced the “blue screen of death” (BSOD) after applying the update. Microsoft warned this was because many antivirus programs hadn’t yet updated their software to allow its security updates to come through.
On Tuesday, Microsoft said on its support site that it was temporarily suspending the patches for computers running AMD chipsets “to prevent AMD customers from getting into an unbootable state”. The company said it was working with AMD to resume Windows OS security updates to the affected AMD devices as soon as possible.
Microsoft also issued more information about the potential performance impact on Windows computers following installation of the Spectre/Meltdown updates. In short, Microsoft told users of Windows 7, 8.1 and 10 on older chips (2015 or earlier) that they were likely to experience a slowdown of their computer after applying this update.
Krebs minced no words in saying, “As evidenced by this debacle, it’s a good idea to get into the habit of backing up your system on a regular basis. I typically do this at least once a month — but especially right before installing any updates from Microsoft.”
In addition, Microsoft released 56 separately identified security patches for every supported version of Windows, Office, Internet Explorer, Edge and .NET. According to Woody Leonhard, Computerworld columnist, the only one of those patches that fixes a currently exploited problem addresses a flaw in Word’s Equation Editor, which should have been fixed in November.
Leonhard assures readers that they don’t need to get the Meltdown/Spectre patches installed immediately despite the “dire warnings all over the web”, and that even if they do, they are unlikely to notice the variance in speed that results.
He tells readers to focus on “getting your antivirus house in order”, assuring them that “your 3-year-old PC isn’t going to turn into a pile of sludge”. He goes on to add that there are currently no known exploits for Meltdown or Spectre in the wild, so there is no need to panic. He guesses that when the first exploit does occur, it will happen through web browsers or via high-stakes servers in banking, the military or cryptocurrency fields, not on individual machines.
The other takeaway Leonhard offers is “if you open Word docs with compromised Equation Editor components, you can get pwned”. Equation Editor allows users to put equations into documents. The patch for CVE-2018-0802 is urgent if you use the program.